Can splunk Enterpise import Threat intelligence in...

netinstall · ‎07-28-2017

As the subject, can splunk enterprise import Threat Intelligence in STIX and XML format with less features in Splunk Enterprise as I only have splunk Enterprise but no Splunk ES? (But the Splunk ES had many features seem to be not very useful and we only want to try the threat intelligence part.

Splunk ES can do it by below method, any similar thing in Splunk Enterprise?

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Addthreatintel

http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Uploadthreatfile

klaxdal · ‎08-01-2017

Why not try Splunk SA- Splice ? Does a great job

https://splunkbase.splunk.com/app/2637/

adonio · ‎07-29-2017

hello there,
i don t see why cant you do it in Splunk Core.
you can create a modular input or a scripted input to look for these files and either index them or upload as a lookup so you can run searches and correlation against them.
with not much effort, i was able to use that link: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Downloadthreatfeed#Add_a_URL-based_threat_source
downloaded the "ransomware_domain_blocklist" from here:
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
and uploaded as a lookup table to my splunk, see screenshot:

you can use this method for STIX and all other online lists.
the challenge is to keep them updated. and thats where a scripted input or modular input comes in handy.
hope it helps

Can splunk Enterpise import Threat intelligence in STIX and XML format (Not splunk Enterprise Security)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...